Detection of cryptographic algorithms with grap

The disassembled code of an executable program can be seen as a graph representing the possible sequence of instructions (Control Flow Graph). grap is a YARA-like tool, completely open-source, and able to detect graph patterns, defined by the analyst, within an executable program. We used grap to detect cryptographic algorithms: we created patterns for AES and ChaCha20 that are based on parts of the assembly code produced by compiling popular implementations (available in LibreSSL and libsodium). Our approach is thus based on the algorithms and their structure and does not rely on constant detection. Identifying cryptographic algorithms used by an executable has multiple applications. It can be used to detect features implemented within the binary (“this program uses AES”, “this binary can verify cryptographic signatures”). Within a platform performing automated analysis one aim can be to extract cryptographic material (the AES key used, a non-standard S-Box). Finally, integrated with existing tools (IDA plugin) it can help a reverse-engineer focus on found areas (“this subroutine looks like a cryptographic function”) or avoid wasting time on known algorithms (“this function implements ChaCha20”). We used grap [TT17a; TT17b] to create detection patterns that are based on the control flow graph of the binaries in order to focus on instruction and flow matching and offer an alternative to constant detection. The paper is organized as follows. First there is an overview of grap with simple examples and a dive into its capabilities and the matching algorithm. Then we explain how we created patterns for AES and ChaCha20, and give insights on advantages and disadvantages of a detection based on CFG matching.